b'   June 14, 2002\n\n\n\n\nInformation Technology\n\nCertification of the Reserve\nComponent Automation System\n(D-2002-103)\n\n\n\n\n              Department of Defense\n          Office of the Inspector General\nQuality              Integrity        Accountability\n\x0cAdditional Copies\n\nTo obtain additional copies of this audit report, visit the Web site of the Inspector\nGeneral of the Department of Defense at www.dodig.osd.mil/audit/reports or\ncontact the Secondary Reports Distribution Unit of the Audit Followup and\nTechnical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax\n(703) 604-8932.\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact the Audit Followup and\nTechnical Support Directorate at (703) 604-8940 (DSN 664-8940) or\nfax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                  OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                  Inspector General of the Department of Defense\n                        400 Army Navy Drive (Room 801)\n                            Arlington, VA 22202-4704\n\nDefense Hotline\n\nTo report fraud, waste, or abuse, contact the Defense Hotline by calling\n(800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or\nby writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.\nThe identity of each writer and caller is fully protected.\n\n\n\n\n    Acronyms\n    ASD(C3I)               Assistant Secretary of Defense (Command, Control,\n                              Communications, and Intelligence)\n    CIO                    Chief Information Officer\n    CCA                    Clinger-Cohen Act\n    IPT                    Integrated Product Team\n    IT                     Information Technology\n    PA&E                   Program Analysis and Evaluation\n    PMO                    Program Management Office\n    RCAS                   Reserve Component Automation System\n\x0c\x0c         Office of the Inspector General of the Department of Defense\nReport No. D-2002-103                                                     June 14, 2002\n  (Project No. D2000AS-0212.001)\n\n       Certification of the Reserve Component Automation System\n\n                                   Executive Summary\n\nWho Should Read This Report and Why? Managers who plan, develop, or oversee\nDoD automated information systems will be interested in this report.\n\nBackground. This report is the second in a series evaluating certifications that DoD\nautomated information systems were being developed in accordance with the\nClinger-Cohen Act. During FYs 2000 and 2001, Congress required that the Chief\nInformation Officer, DoD, before approving acquisition Milestones I, II, or III of high-\ncost information systems, evaluate the actions taken related to specific requirements of\nthe Clinger-Cohen Act. To help ensure effective oversight of DoD information\ntechnology investments, Congress included Section 8121(b) in the DoD Appropriations\nAct for FY 2000, which also required the Chief Information Officer, DoD, to inform\nCongress of the certifications and to provide confirmation that DoD Components took\nsteps to meet specific requirements of the Act. The Reserve Component Automation\nSystem has estimated life cycle costs of $2.4 billion for FYs 1996 through 2007.\n\nResults. The Chief Information Officer, DoD, did not report to Congress that\ndevelopment of the Reserve Component Automation System did not fully comply with\nthe intent of the Clinger-Cohen Act. The limitations directly affected three of the five\ninterest items that were specified in Section 8121(b)(2): business process\nreengineering, analysis of alternatives, and performance measures. The Chief\nInformation Officer did not believe the weaknesses for business process reengineering\nand analysis of alternatives were significant enough to withhold congressional\ncertification and no weaknesses were identified for functional performance measures\neven though none were specifically developed. Disclosure of compliance limitations\nwould have provided Congress with a more accurate measure of the progress and\nresults that respective information technology investments made in complying with the\nClinger-Cohen Act. To meet the full intent of the Clinger-Cohen Act, the application\nof business process reengineering and analysis of alternatives principles should be used\nbefore initiating development of any future RCAS increment and functional\nperformance measures should be formally established. Additionally, the risks\nassociated with exchanging unencrypted data files should be reevaluated. Further, out-\nyear funding for the system should be identified and related congressional reporting\nrequirements met. See the finding for the detailed recommendations.\n\nManagement Comments and Audit Response. The Chief Information Officer, DoD,\ngenerally concurred with the audit results and stated that he would develop criteria to\nenable uniform assessments and reporting in conjunction with the Chief Information\nOfficers of the DoD Components. The Army partially concurred with the\nrecommendations on reviewing future system increments, establishing functional\nperformance measures, evaluating the risks associated with the exchange of\nunencrypted data files, and identifying out-year funding for the Reserve Component\nAutomation System. Army comments on the recommendations to review future system\n\x0cincrements and functional performance measures were not clear; therefore, we ask for\nadditional comments. We also request the Army to respond to the recommendation\nconcerning congressional reporting. We request the Army to provide comments on the\nfinal report by July 15, 2002. See the Finding section of the report for a discussion of\nmanagement comments. The complete text of management comments is in the\nManagement Comments section.\n\n\n\n\n                                           ii\n\x0cTable of Contents\n\nExecutive Summary                                                         i\n\n\nIntroduction\n     Background                                                           1\n     Objectives                                                           3\n\nFinding\n     Certification of the Reserve Component Automation System as\n       Compliant with the Clinger-Cohen Act                               4\n\nAppendixes\n     A. Audit Process\n         Scope and Methodology                                           18\n         Prior Coverage                                                  19\n     B. Clinger-Cohen Act of 1996 and Statutory Requirements             20\n     C. Summary of Management Comments on the Finding and\n          Audit Response                                                 22\n     D. Report Distribution                                              27\n\nManagement Comments\n     Assistant Secretary of Defense (Command, Control, Communications,\n       and Intelligence)                                                 29\n     Chief, National Guard Bureau                                        31\n     Chief, Army Reserve                                                 45\n     Army Director of Information Systems for Command, Control\n       Communications, and Computers                                     48\n\x0cBackground\n           In the mid-1990s, Congress passed several items of legislation intended to\n           improve the management and performance of Federal agencies. The reform\n           legislation responded to the inability of Federal agencies to effectively manage\n           the development and production of information technology (IT) systems to meet\n           the needs of functional users. One major reform initiative was the Information\n           Technology Management Reform Act of 1996, which was subsequently retitled\n           the Clinger-Cohen Act of 1996 (CCA). To help ensure appropriate management\n           practices in developing systems, Congress included section 8121(b) in the DoD\n           Appropriations Act, FY 2000. Section 8121(b) required the Chief Information\n           Officer (CIO), DoD, to certify, prior to approval of key acquisition review\n           points (milestones), that the system was being developed in accordance with the\n           CCA. Additionally, the CIO, DoD, was required to notify Congress of system\n           certifications and confirm the performance of specific \xe2\x80\x9cinterest items\xe2\x80\x9d related to\n           CCA tenets. Appendix B provides a summary of the CCA and the specific\n           section 8121(b) requirements.\n\n           DoD Guidance. The specific interest items iterated in section 8121(b) were\n           specifically recognized and required by DoD policy and guidance before the\n           enactment of CCA in 1996. DoD Directive 8000.1, \xe2\x80\x9cDefense Information\n           Management Program,\xe2\x80\x9d October 27, 1992, established policy and\n           responsibilities for business process streamlining and improvements; preparing\n           and validating functional economic analyses, which include analyses of\n           alternatives and investment risk; developing functional process performance\n           measures and assessments; and ensuring appropriate information security. In\n           addition, DoD Directive 8120.1, \xe2\x80\x9cLife-Cycle Management (LCM) of\n           Automated Information Systems (AISs) ,\xe2\x80\x9d January 14, 1993, 1 emphasized the\n           importance of those specific section 8121(b)(2) interest items that are critical in\n           the \xe2\x80\x9cearly-on\xe2\x80\x9d IT development stages, especially those related to improving\n           business processes and examining alternatives and projecting related costs and\n           benefits.\n\n           Acquisition Program Milestones. A milestone is a decision point that\n           separates the major phases of an acquisition program. DoD acquisition policy\n           requires a milestone decision before an acquisition program may progress to the\n           next acquisition phase. The Assistant Secretary of Defense (Command,\n           Control, Communications, and Intelligence) (ASD(C3I)), as the Milestone\n           Decision Authority for major automated information systems approves milestone\n           decisions for high-cost or special interest IT acquisition programs.\n\n           Prior to October 2000, the major milestone phases included Concept\n           Exploration (Phase 0), Program Definition and Risk Reduction (Phase I),\n           Engineering and Manufacturing Development (Phase II), and Production,\n           Fielding/Deployment, and Operational Support (Phase III). In October 2000,\n           DoD substantially revised its acquisition guidance and requirements to reduce\n\n1\n    DoD Directive 5000.1, \xe2\x80\x9cDefense Acquisition,\xe2\x80\x9d March 15, 1996, canceled DoD Directive 8120.1 and\n    incorporated the policies and requirements on life-cycle management for automated information systems.\n\n\n                                                      1\n\x0c            the number of major milestone phases and their associated decision points.\n            DoD also revised acquisition regulations to clearly and effectively implement\n            various aspects of IT reform legislation, including the CCA. Because the\n            Reserve Component Automation System (RCAS) was already in Milestone III\n            before the October 2000 change, the CIO continued to use the existing system of\n            milestone designations for the project.\n\n            Reserve Component Automation System. In 1986, the RCAS was established\n            to provide the Army National Guard and the Army Reserve with a single,\n            extensive, modern automated information system designed to support\n            commanders, staffs, and functional managers in the administration and\n            mobilization of the Army Reserve Component. The mission and vision of the\n            RCAS are to support daily operations, training, and administrative tasks for all\n            Guard and Reserve echelons and to provide timely and more accurate\n            information to plan and support mobilization. When it is fully deployed, the\n            RCAS will link more than 10,500 Guard and Reserve units at more than\n            4000 sites located in all 50 states, the District of Columbia, Guam, Puerto Rico,\n            the Virgin Islands, Europe, and the Pacific Rim.\n\n            In FY 1995, the Army restructured the RCAS project to constrain cost growth\n            and leverage new information technology. The restructured RCAS project\n            consisted of commercial off-the-shelf hardware and office automation software,\n            government off-the-shelf software2, and newly developed software applications\n            that were integrated into a personal computer-based architecture.\n\n            RCAS Increments. The 1995 project restructure also revised the RCAS\n            acquisition strategy to provide an incremental, evolutionary acquisition approach\n            that included development and deployment of capabilities for seven increments.\n            Early project increments provided the necessary infrastructure. Increment 1,\n            approved in September 1996 (Milestone IIIa), provided commercial-off-the-shelf\n            office automation software, classified-capable and unclassified workstations, and\n            wide area network interconnectivity. Increment 2, approved in January 1998\n            (Milestone IIIb), introduced data servers and logistics functional software.\n            Later increments focused on software development to better support several\n            functional areas. Increment 3, approved May 2000 (Milestone IIIc), provided\n            force authorization, security, and training functions. Increment 4/53, approved\n            in July 2001 (Milestone IIId), introduced mobilization planning and occupational\n            health management and added additional force authorization and modernization,\n            human resources, and training management functionality. Increment 6,\n            scheduled for certification for compliance with the requirements of the\n            Clinger-Cohen Act during FY 2002 (Milestone IIIe), will introduce\n            mobilization planning and occupational health management functions. Future\n            increments will implement user requirements in the order of priority established\n            by the Requirements Control Board for the Reserve Components. RCAS was\n\n\n2\n    Software previously developed to military or Federal specification or description and stocked by a\n    distributor, before receiving orders or contracts for its sale.\n3\n    Increments 4 and 5 were combined into a single increment.\n\n\n                                                       2\n\x0c            scheduled to be fully deployed and transitioned to a separate organization within\n            the Reserve Component for life-cycle support by March 2003.\n\n            The estimated life-cycle costs of the RCAS project for Increments 1 through\n            7 for FYs 1996 through 2007 totaled $2.4 billion. Beyond FY 2002, all costs\n            will be user costs with the exception of activities required during the program\n            transition period from the RCAS Project Management Office (PMO) and the\n            contractor to the users and the RCAS software maintainer. The projected return\n            on investment4 for RCAS Increment 3, as approved in May 2000, was 4.5 to 1\n            and the projected return on investment for the entire RCAS project was 5 to 1.\n\n            The ASD(C3I), as the CIO, DoD, certified on March 28, 2000, and on July 3,\n            20015, respectively, that Increment 3 and Increments 4/5 of the Reserve\n            Component Automation System had been developed in accordance with the\n            requirements of the Clinger-Cohen Act.\n\nObjectives\n            The audit objective was to determine whether DoD oversight processes and\n            procedures provided the CIO, DoD, with a sufficient basis to certify that the\n            RCAS was being managed and developed in accordance with the CCA. This\n            report is the second of a series. In a subsequent report, we will assess DoD\n            progress in implementing the CCA and review related management controls. A\n            description of the audit scope and methodology and prior coverage related to the\n            RCAS project is shown in Appendix A.\n\n\n\n\n4\n    Return on investment is the ratio of the present value of benefits to the present value of costs.\n5\n    Section 8121(b) required CIO, DoD, certification during FY 2000. The certification requirement was\n    extended through FY 2001 by Section 8102(b) of the DoD Appropriations Act, FY 2001.\n\n\n                                                         3\n\x0c                    Certification of the Reserve Component\n                    Automation System As Compliant with\n                    the Clinger-Cohen Act\n                    Limitations of the RCAS project efforts for Increments 3 and 4/56 for\n                    compliance with the intent of the CCA were not reported by the CIO,\n                    DoD. The limitations directly affected three of the five interest items\n                    that were specified in Section 8121(b)(2). This condition occurred\n                    because the CIO did not believe that the weaknesses associated with\n                    business process reengineering and the analysis of alternatives were\n                    significant enough to withhold the CCA certification. In addition, the\n                    CIO did not identify any weakness in performance measures even though\n                    the RCAS PMO and the Reserve Components had not established\n                    functional performance measures. Accordingly, Congress was not\n                    informed that the RCAS was not being developed in full compliance with\n                    CCA requirements.\n\nRCAS Certification Process\n           The RCAS project was the first major automated information system in DoD\n           that was subject to the Section 8121(b) certification process. The RCAS was\n           also used to develop a template and a certification procedural process for follow-\n           on projects. The PMO prepared a compliance report for the RCAS project,\n           which summarized the requirements of Section 8121(b), provided background\n           information on the RCAS project, and outlined the actions taken by project\n           officials on the five interest items in Section 8121(b)(2): business process\n           reengineering, analysis of alternatives, economic analysis, performance\n           measures, and information assurance strategy. A review team,7 represented by\n           various staff offices within the OSD, then prepared the congressional\n           certification report for signature, stating that RCAS Increment 3 was being\n           developed in accordance with the CCA. The compliance report and the CIO\n           certification report contained essentially the same information.\n\n           On February 25, 2000, the review team briefed the CIO on the RCAS draft\n           certification report for Congress. The briefing included confirmation of steps\n           taken by the PMO to address each of the five specific congressional interest\n           items.\n\n           During its briefing to the CIO, the review team presented a qualified statement\n           for actions regarding business processing reengineering and the analysis of\n\n6\n    Increments 4 and 5 were combined into a single increment.\n7\n    The review team consisted of action officers from the Office of the Secretary of Defense (Command,\n    Control, Communications, and Intelligence); Director, Program Analysis and Evaluation; Director,\n    Operational Test and Evaluation; and Joint Staff, Director for Command, Control, Communications and\n    Computers (J-6).\n\n\n                                                     4\n\x0calternatives because business process work flows had not been substantially\nredesigned. Additionally, the PMO had not considered a full range of\napproaches for the analysis of alternatives to reduce costs, outsourcing services,\nstreamline operations, or privatize functions.\n\nDespite those weaknesses, the review team recommended that the CIO certify\nRCAS Increment 3 as CCA compliant. According to the review team, the\ncertification report could not qualify or restrict the level of steps taken by the\nPMO for business process reengineering and analysis of alternatives; a\n\xe2\x80\x9cqualified\xe2\x80\x9d or restricted certification was not an option because a project either\ndid or did not meet the CCA certification requirements. The CIO tentatively\napproved the certification during the briefing, thus authorizing the preparation\nof the official certification report and congressional notification letters for\nsubmission to Congress.\n\nThe CIO coordinated the certification report and notification letters with, and\nobtained endorsement by the Office of the Under Secretary of Defense\n(Comptroller); the Office of the Assistant Secretary of Defense for Legislative\nAffairs; the Office of the Deputy Under Secretary of Defense for Program\nIntegration; the Department of the Army, Office of the Director of Information\nSystems for Command, Control, Communications, and Computers; the Office of\nthe Director, Program Analysis and Evaluation (PA&E); the Office of General\nCounsel; the National Guard Bureau, Program Executive Office for Information\nSystems; and the Chairman of the RCAS General Officer Steering Committee.\nThe CIO submitted the certification report to Congress on March 28, 2000.\n\nWe focused on the certification of Increment 3. However, because the CIO\ncertified and submitted the certification report on RCAS Increments 4/5 to\nCongress on July 3, 2001, while the audit was still in progress, we performed a\nlimited review of the certification report on Increments 4/5. We determined\nthat, similar to the certification report for Increment 3, the CIO did not report\nany limitations of the RCAS project efforts for compliance with the intent of\nCCA. Unlike Increment 3, the OSD review team did not provide a formal\ndocumented briefing on its conclusions regarding certification of Increments 4/5\n(Milestone IIId) to the CIO. According to the staff in the Office of the\nAssistant Secretary of Defense (Command, Control, Communications, and\nIntelligence) (ASD[C3I]) staff, Milestone IIId represented a recertification of the\nproject\xe2\x80\x99s compliance with the CCA requirements and that, with the exception of\ndetermining that operations and support for RCAS were insufficiently funded,\nand updating the tables and exhibits in the certification report, no major changes\nor issues occurred after the OSD review team\xe2\x80\x99s assessment of Increment 3.\nBecause the CIO certified Increment 4/5 based on similar efforts performed by\nthe RCAS PMO and assessments made by the OSD review team on Increment 3,\nwe concluded that the concerns presented in the report were also applicable to\nIncrement 4/5.\n\nBecause the RCAS was the first system certified as being developed in\naccordance with the CCA, we believe that the CIO should have established that\ntwo classes of information systems are subject to the requirements of the CCA\nwithin DoD. Specifically, systems that started development or were in an early\nphase of development after the enactment of the CCA in 1996 should fully\n\n                                     5\n\x0c    comply with the CCA. However, systems such as RCAS, which were in an\n    advanced stage of development and deployment when the CCA was enacted,\n    most likely would not fully meet the tenets of the CCA because the opportunities\n    to realize the most substantial benefits from \xe2\x80\x9cup front\xe2\x80\x9d efforts such as business\n    process reengineering or analysis of alternatives were reduced by that time.\n\nBusiness Process Reengineering\n    Confirmation of Business Process Reengineering Certification. Although\n    representatives from the offices of the ASD(C3I) and the Director, PA&E,\n    acknowledged that DoD and the Army had not focused on the use of\n    activity-based costing techniques to simplify or otherwise redesign business\n    processes before investing in RCAS, the certification report to Congress did not\n    clearly explain that RCAS business process reengineering efforts did not\n    completely meet the full intent of the CCA.\n\n    RCAS Business Process Reengineering Efforts. Although the RCAS\n    investment should improve and support work processes to reduce cost, improve\n    effectiveness, and implement Government and commercial off-the-shelf\n    technology, the work processes of the Reserve Components were not fully\n    subjected to business process reengineering.\n\n    The General Accounting Office, \xe2\x80\x9cBusiness Process Reengineering Assessment\n    Guide,\xe2\x80\x9d May 1997, states that a business process can be decomposed into\n    specific activities, measured, modeled, and improved; redesigned; or\n    eliminated. Reengineering identifies, analyzes, and redesigns an organization\xe2\x80\x99s\n    core business processes to achieve dramatic improvements in critical\n    performance measures. In addition, the guide states that dramatic improvements\n    realized by rethinking how the organization\xe2\x80\x99s work should be achieved,\n    distinguishes reengineering from process improvement that focuses on functional\n    or incremental improvement.\n\n    Efforts undertaken by the RCAS PMO to justify information technology\n    investments in the system did not identify, dramatically redesign, and eliminate\n    low or no value-added functions or work processes before deciding to invest in\n    RCAS. The RCAS PMO indicated that such efforts were not a top priority in\n    1989 because the functional users were focused on developing requirements and\n    identifying and documenting pre-automation business processes. According to\n    the PMO, those efforts were not emphasized when OSD reprogrammed the\n    Continental Army Management Information System in 1986 as RCAS or\n    restructured the RCAS project in 1995. The efforts of the RCAS stakeholders\n    and officials related to business process reengineering could, at best, be\n    considered an improvement in the functional process; however, those efforts\n    could not be considered a redesign and reengineering of established business\n    processes or workflows.\n\n    We asked the PMO to provide documentation to show that management\n    considered and took advantage of business process reengineering opportunities\n    before making a commitment and commencing the development or acquisition of\n    software applications that would satisfy the functional requirements for each\n\n                                        6\n\x0c     new RCAS increment. The PMO stated that business process reengineering was\n     a functional community responsibility and did not know whether the Reserve\n     Component functional communities had performed independent business process\n     reengineering analyses for each increment. In essence, the PMO, in conjunction\n     with the functional proponents, had not performed business process\n     reengineering on any of the RCAS increments since the 1996 enactment of the\n     CCA.\n\n     Staffs of the ASD(C3I) and PMO also indicated that business process\n     reengineering was not a primary consideration when the Army reprogrammed\n     the Continental Army Management Information System and renamed it as RCAS\n     in 1986 because the significance of the derived advantages of business process\n     reengineering were not widely recognized and emphasized at that time;\n     however, when the Army restructured the RCAS project in FY 1995, DoD\n     policy required DoD Components to consider business process streamlining.\n\n     The PMO exerted extensive efforts to overcome the inadequacies of existing\n     methods and procedures by proposing to automate inefficient, functionally\n     disconnected, and manual processes. The PMO estimated that about\n     $3.5 billion (94 percent) of the benefits derived from the RCAS included\n     productivity improvements that would result from automating work processes\n     rather than from the functional reengineering or redesign of those processes.\n     Although automation of work processes would require fewer Reserve\n     Component personnel to perform administrative tasks, there was no expectation\n     to reduce the number of personnel. Instead, the Reserve Components planned to\n     use the extra time to provide additional training for personnel.\n\nAnalysis of Alternatives and Economic Analysis\n     Policy. DoD Instruction 7041.3, \xe2\x80\x9cEconomic Analysis for Decision Making,\xe2\x80\x9d\n     November 1995, contains policy for economic analysis and analysis of\n     alternatives. An analysis of alternatives and an economic analysis are directly\n     related; effective use of an analysis of alternatives, in conjunction with an\n     economic analysis, provides a viable basis for evaluating potential solutions and\n     selecting the most cost-effective alternative. The analysis of alternatives\n     generally starts with a broad base of possible solutions to meet a mission need.\n     When the field of possible solutions is narrowed to a few realistic alternatives,\n     the principles of economic analysis and its tools of cost-benefit analysis and\n     return-on-investment are applied to identify the most promising solution.\n\n     Analysis of Alternatives. The PA&E office qualified its assessment of the\n     analysis of alternatives in the February 2000 briefing to the CIO because the\n     August 1996 analysis of alternatives did not consider a full range of alternatives\n     to reduce cost, such as outsourcing specific functions or streamlining or\n     privatizing routine administrative processes. Routine administrative processes\n     include personnel activities, payroll, training, and human resources.\n\n\n\n\n                                          7\n\x0c    According to DoD Instruction 7041.3, each feasible alternative for meeting an\n    objective must be considered and its life-cycle costs and benefits should be\n    evaluated. Alternatives dismissed as \xe2\x80\x9cinfeasible\xe2\x80\x9d must be discussed, but need\n    not be formally compared in the economic analysis.\n\n    The PMO stated that the RCAS was exempt from outsourcing routine\n    administrative processes because the system was established under title 10,\n    United States Code of the Armed Services Program and because it supported\n    numerous inherent Government functions, such as manning, equipping, training,\n    and sustaining the Army\xe2\x80\x99s Reserve Components.\n\n    We acknowledge that the mobilization capability of the RCAS may be an\n    inherent Government function but believe that the routine administrative\n    processes of RCAS are not. The Office of Management and Budget\n    Circular A-76, \xe2\x80\x9cPerformance of Commercial Activities,\xe2\x80\x9d August 4, 1983,\n    (Revised 1999) states that an inherent Government function is a function that is\n    so intimately related to the public interest as to mandate performance by\n    Government employees. The PMO did not provide any documentation to show\n    how RCAS was an inherent Government function. Additionally, the PMO did\n    not consider, in the analysis of alternatives, the opportunity to competitively\n    source the day-to-day, repetitive administrative tasks and work processes of the\n    project and did not discuss the infeasibility of that option.\n\n    Economic Analysis. We examined the related Milestone III economic analysis,\n    dated August 1996, and identified no major deficiencies based on the\n    requirements of DoD Instruction 7041.3. Also, neither the PMO nor the\n    ASD(C3I) presented any economic analysis issues to the CIO during the RCAS\n    certification briefing. However, we noted that the benefits used in the\n    computation of the return on investment consisted of \xe2\x80\x9csoft dollars\xe2\x80\x9d or benefits\n    that could not be quantitatively tracked through the budget process. The PA&E\n    office questioned the amount of actual benefits because benefits were primarily\n    based on productivity gains. Because the return on investment was based on\n    increased productivity, the use of performance measures to assess the functional\n    benefits of the RCAS investment becomes even more important.\n\nPerformance Measures\n    Functional proponents of RCAS did not establish a performance measurement\n    plan to assess functional performance or to identify whether the desired results\n    were being achieved after the deployment of RCAS. Specifically, new\n    processes were not compared against measures of outcome, output, and\n    efficiency of RCAS in order to continually monitor performance and make\n    further refinements. In addition, the PMO did not use benchmarks to assess the\n    efficiency of work process improvements.\n\n    Functional Performance Measures. According to the PMO, proponents did\n    not establish functional performance measures because those measures were not\n    considered a top priority in 1989 when the functional users focused on\n    identifying and documenting pre-automation business processes and translating\n    the results into requirements for RCAS. In addition, user representatives,\n\n                                        8\n\x0c    including members of the customer focus team for RCAS, stated that they did\n    not establish functional performance measures. The CCA requires that\n    performance measurements be prescribed for information technology acquired\n    for or used by the executive agency. The performance measurements should\n    indicate how well the information technology supports projects of the executive\n    agency.\n\n    Although functional proponents established key performance measures for the\n    system\xe2\x80\x99s operational performance, including operational effectiveness and\n    suitability, cost, timeliness, and quality, the measurements, when implemented,\n    did not measure the outcome of the investment in or functional benefits of\n    RCAS. Without functional performance measures, the Army and the Reserve\n    Components would not be able to determine, quantitatively, how well\n    RCAS-improved processes met mission goals, or identified problems in meeting\n    those goals. An example of a functional performance measure may be to show\n    how many soldiers would be relieved of administrative workloads in order to\n    engage in more training because of RCAS automation.\n\n    Benchmarks. Although the CIO certification report stated that benchmarks\n    were used to derive risk-adjusted alternative technical solutions during the 1995\n    project restructure, the PMO did not provide any documentation to support its\n    benchmarking efforts. For benchmarking, the CCA requires that, where\n    comparable processes and organizations in the public or private sectors exist,\n    process performance should be quantitatively benchmarked against such\n    processes in terms of cost, speed, productivity, and quality of outputs and\n    outcomes.\n\n    The General Accounting Office, \xe2\x80\x9cBusiness Process Reengineering Assessment\n    Guide,\xe2\x80\x9d dated May 1997, indicated that benchmarks are instrumental in\n    identifying gaps between an organization\xe2\x80\x99s process performance and that of\n    leading organizations and in understanding how those leaders have changed their\n    structures, work processes, and lines of business to improve performance\n    dramatically.\n\n    According to the RCAS PMO, no documented evidence was available to show\n    that either the functional users or the PMO used benchmarks for existing work\n    processes with internal or commercial organizations. Unless an organization\n    uses benchmarks to measure its process performance with the goals and\n    performance of leading organizations, it is difficult to establish reference points\n    for setting meaningful improvement goals. Benchmarks, when used in\n    conjunction with performance measurement, present a sound method to establish\n    a credible business case for changing work processes of an organization.\n\nInformation Assurance\n    Although the certification testing of RCAS met the requirements of DoD\n    Instruction 5200.40, \xe2\x80\x9cDoD Information Technology Security Certification and\n\n\n\n\n                                         9\n\x0c            Accreditation Process,\xe2\x80\x9d December 30, 1997, and the congressional certification\n            requirements for the CCA, the PMO did not use encryption8 techniques to\n            safeguard sensitive but unclassified data.\n\n            In January 1997, at the request of the RCAS Program Executive Office, the\n            Director of Information Systems for Command, Control, Communications, and\n            Computers, who was the Designated Approving Authority for the RCAS,\n            granted a deferment for deploying data encryption hardware devices, pending\n            final determination of a software encryption or common hardware solution. As\n            of January 2002, the deferment was still in effect.\n\n            We requested and the PMO provided a listing of 28 current and projected\n            system interfaces. Of the 28 interfaces with other systems, 16 data exchanges\n            used File Transfer Protocol, which is a service that supports file transfers\n            between local and remote computers, including the Internet. No documentation\n            was available to indicate that RCAS encrypted any of its data. The PMO stated\n            that electronic external interfaces were not authenticated 9 or encrypted and that\n            engineering efforts were ongoing with the owners of the data to provide security\n            during electronic transmission. Though the data were unclassified, they may\n            have contained sensitive information, such as personnel data, manpower\n            allocation, and force structure. If the data remain unencrypted, system users\n            may be vulnerable to network attacks or compromise, such as eavesdropping\n            and playback.\n\n            The Director of Information Systems for Command, Control, Communications,\n            and Computers and the PMO should review the risks associated with passing\n            unsecured sensitive data and implement encryption technology, such as the\n            Secure Socket Layer, if appropriate, to reduce the risk of inadvertent disclosure\n            of sensitive but unclassified data.\n\nOversight\n            Although the CIO, senior DoD officials, and action officers reviewed key\n            project documents, such as the acquisition strategy, the Operations Concept\n            document (the RCAS project\xe2\x80\x99s operational requirements document), the Test\n            and Evaluation Master Plan, and the Acquisition Program Baseline, the CIO\n            needs to establish uniform criteria to determine compliance with the CCA. The\n            criteria should include the need for the Overarching and Integrating Integrated\n            Product Teams10 to improve their involvement in the certification process.\n\n8\n    Encryption is the transformation of data into a form unreadable by anyone without a secret decryption\n    key and ensures privacy by keeping the information hidden from anyone for whom it was not intended.\n9\n    Authentication is the process of determining the identity of a user attempting to access a system.\n10\n    In 1995, the Under Secretary of Defense for Acquisition, Technology, and Logistics and the ASD(C 3I)\n    issued guidance entitled \xe2\x80\x9cRules of the Road, A Guide for Leading Successful Integrated Product Teams\xe2\x80\x9d\n    that emphasized the importance and advantages of minutes of meetings, what they should include, and\n    that all members of the IPT should be provided final minutes within 2 working days after the deadline\n    for the receipt of comments.\n\n\n                                                        10\n\x0cAdditionally, the CIO and senior DoD officials need to make sure that the Army\ncomplies with congressional direction regarding the absence of funding for\nsustainment operations and support for the RCAS project.\n\nCIO, DoD. The CIO, DoD, certified that Increment 3 of the RCAS project was\ndeveloped in accordance with the CCA, although the basis for the certification\nwas confusing because the CIO had not established universal criteria or a\nconsistent approach to determine the adequacy of compliance with the CCA\nrequirements. The first report in this series, Inspector General, DoD, Report\nNo. D-2001-137, \xe2\x80\x9cCertification of the Defense Civilian Personnel Data\nSystem,\xe2\x80\x9d June 7, 2001, recommended that the CIO clarify and enhance the\ncriteria and approach to be used by DoD Components for determining whether\nmajor automated information systems are developed in accordance with the\nCCA. Therefore, this report will not include a recommendation addressing the\nmatter.\n\nOverall, the CIO could improve oversight responsibilities through periodic\nverification of information provided. Because CIO staff members seldom\nperformed detailed reviews of project documentation, we concluded that prudent\nverification could substantially improve the effectiveness of oversight\nresponsibilities. This report will not include a recommendation addressing this\nmatter because Inspector General, DoD, Report No. D-2000-137 recommended\nthat the CIO strengthen oversight processes, including the process for certifying\nthat major automated information systems are developed in accordance with the\nCCA, by periodically confirming the accuracy and adequacy of information\nreported by DoD Components.\n\nArmy CIO. Absent compliance criteria from the CIO, DoD, the Army CIO\nestablished a checklist, which included Section 8121(b) requirements, to assess\ncompliance with the CCA. In December 1999, the Army CIO approved the\nCCA compliance of Milestone IIIc, Increment 3, based on the PMO self-\nassessment checklist submission that addressed the five interest items outlined in\nthe OSD(C3I) guidance.\nInformation Technology Overarching Integrated Product Team. The\nInformation Technology Overarching Integrated Product Team (Overarching\nIPT) was minimally involved in the oversight of the RCAS. The primary role of\nthe Overarching IPT was to provide advice to the CIO during milestone reviews.\nThe Director, C3I Acquisition (now the Director, Investment and Acquisition),\nOffice of the Deputy Assistant Secretary of Defense (C3I) CIO, chaired the\nOverarching IPT that was composed of senior managers representing the primary\nstaff assistants with an interest in the RCAS. The Overarching IPT included\nsenior managers from the offices of the Under Secretary of Defense for\nAcquisition, Technology, and Logistics; the Under Secretary of Defense\n(Comptroller); the Director, Operational Test and Evaluation; the Director,\nProgram Analysis and Evaluation; the Director, Defense Information Systems\nAgency; the Director, Command, Control, Communications, and Computer\nSystems, Joint Staff; and user representatives.\n\n\n\n\n                                    11\n\x0cAlthough the Overarching IPT reviewed and concurred with draft acquisition\ndecision memorandums before formal RCAS milestone decisions, it did not meet\nduring milestone reviews to discuss the progress and status of the RCAS project\nand did not help identify potential programmatic problems . Instead, the\nOverarching IPT relied on a lower-level, Integrating IPT to provide critical\nRCAS oversight review and direction.\n\nIntegrating Integrated Product Team. The Integrating IPT members indicated\nthat they continuously monitored the RCAS project; however, they were unable\nto provide summaries or minutes of meetings or any memorandums for the\nrecord on the level of input and guidance by representatives on significant\nprogrammatic issues discussed and resolved during reviews.\n\nThe Integrating IPT was co-chaired by the RCAS Project Manager and action\nofficers from the offices of the ASD(C3I); the Director, PA&E; the Director,\nOperational Test and Evaluation; and the Joint Staff. From September 1996\nthrough March 2000, the Integrating IPT met 13 times to monitor program\nstatus, testing strategy, software encryption, information assurance, training,\nincremental fielding and testing issues, and Section 8121(b) certification. The\nIntegrating IPT also tracked action items, audits, reviews, and corrective actions\nto address deficiencies identified by the Inspector General, DoD, and the\nGeneral Accounting Office.\n\nDuring the audit, the Integrating IPT showed improvements in maintaining\ninformative minutes of IPT meetings. For the April 2001 review of RCAS\nMilestone IIId (Increment 4/5), the Integrating IPT produced a memorandum for\nthe record that disclosed the specific issues discussed, actions needed to address\nthose issues, and the next proposed Integrating IPT milestone review.\n\nProgram Funding. Although it had planned to fully deploy RCAS by the end\nof FY 2002 (later changed to March 2003), the Army still had not provided\nfunding for operations and support requirements for the system. In the House\nof Representatives Armed Services Committee (the Committee) Report\nNo. 106-616, \xe2\x80\x9cNational Defense Authorization Act for FY 2001,\xe2\x80\x9d May 12,\n2000, the Committee expressed a concern that, without continued support and\nmodernization, the Army Reserve could experience a serious deterioration in\nreadiness.\n\nThe Committee also expressed concern that the Army had allocated only limited\nfunding for the RCAS project in the Future Years Defense Program. In order to\nensure that the program continued to enable the effective administrative support\nand mobilization capability required by the Reserve Components, the Committee\nexpected the Department of the Army to program sufficient funds for RCAS.\nThe Committee directed the Secretary of Defense to provide a report no later\nthan March 1, 2001, to the Senate and House Committees on Armed Services\ndetailing programmed funds for RCAS for FYs 2002 through 2007. As of\nJune 2002, the Army had not completed and submitted the report to the\nCommittees.\n\nIn the January 2001 Defense Acquisition Executive Summary report, the RCAS\nPMO reported a $765 million unfunded requirement in FYs 2002 through 2007\n\n                                    12\n\x0c    for operations and support required to operate and maintain the RCAS\n    infrastructure. During its Milestone IIId review of Increment 4/5 in April 2001,\n    the Integrating IPT decided that the unfunded requirement should be\n    acknowledged in the CIO certification compliance package and in the\n    Milestone IIId Acquisition Decision Memorandum. Specifically, in the July 2,\n    2001, Milestone IIId Acquisition Decision Memorandum, the Overarching IPT\n    tasked the Army and the RCAS PMO to jointly work towards a strategy to\n    resolve the unfunded requirement. The Army and the RCAS PMO were to\n    report their findings and recommendations to the Overarching IPT and the\n    RCAS General Officer Steering Committee before the end of FY 2001. In\n    addition, the Acquisition Decision Memorandum stated that the RCAS \xe2\x80\x9cOther\n    Procurement\xe2\x80\x9d funding for FY 2002 would not be obligated until the CIO, DoD,\n    reviewed and approved the study and its recommendations.\n\nConclusion\n    The CIO certified that RCAS was developed in accordance with the CCA,\n    although business process reengineering, an analysis of alternatives, and\n    performance measures were not fully compliant with the intent of CCA\n    requirements. Milestone III was too late in the RCAS development process to\n    effectively use and fully capitalize upon these investment tools. The\n    certification report to Congress should have explained that, due to RCAS\n    Milestone III decision point, the project was not fully subjected to steps that\n    could justify more than a qualified confirmation. Disclosure of compliance\n    limitations would have provided a more accurate measure of the progress and\n    results that respective IT investments made in complying with the CCA.\n\n    Also, although RCAS was past the stage where business processes reengineering\n    and an analysis of alternatives could be most useful, performance measures to\n    measure the functional benefits of RCAS after full deployment of the system\n    should still be established and would still be beneficial. Further, the application\n    of business process reengineering and analysis of alternatives principles would\n    still be useful prior to initiating development of any future RCAS increment.\n\nManagement Comments on the Finding and Audit Response\n    Management Comments. The Deputy Chief Information Officer, DoD,\n    concurred and stated that although certain CCA compliance limitations were\n    recognized by DoD officials at the time of certification, achieving full\n    compliance was also recognized as not practical because RCAS development\n    was too advanced to remedy weaknesses that occurred early in the development\n    process.\n\n    On behalf of the National Guard Bureau and the RCAS PMO, the National\n    Guard Chief Information Officer and Program Executive Officer for Information\n    Systems provided consolidated comments that nonconcurred with the finding.\n    The National Guard Chief Information Officer stated that activities related to\n\n\n\n                                        13\n\x0c     each of the interest items were completed before the CCA was enacted and that\n    the efforts followed the regulations, guidance, and best practices that were\n    available at the time.\n\n    Audit Response. We agree that achieving full compliance may not have been\n    practical because RCAS was already at Milestone III and that efforts followed\n    the guidance that existed at the time. The review team also recognized\n    limitations to full compliance. Accordingly, the CIO, DoD, certification that\n    RCAS was being developed in accordance with the CCA should have been\n    appropriately qualified.\n\n    The National Guard Chief Information Officer disagreed with other aspects of\n    the finding and discussion. A summary of additional management comments\n    and the audit response is in Appendix C. The full text of all management\n    comments is in the Management Comments section of this report.\n\nRecommendations, Management Comments and Audit\n  Response\n    Revised, Deleted, and Renumbered Recommendations. Based on\n    management comments, we revised draft Recommendation 3.a. to better express\n    our intent. Based on management comments and additional audit work, we\n    deleted draft Recommendation 4.a. Additionally, for clarity, we converted draft\n    Recommendations 3.a. and 3.b. into distinctly separate recommendations.\n    Therefore, draft Recommendations 3.a. and 3.b. have been renumbered as\n    Recommendations 3. and 4., respectively. We also renumbered draft\n    Recommendations 4.b. and 5. to Recommendations 5. and 6., respectively.\n\n    1. We recommend that the Chief Information Officer, DoD, establish policy\n    to report limitations of project efforts for full compliance with the intent of\n    the Clinger-Cohen Act requirements.\n\n    Management Comments. The Deputy Chief Information Officer, DoD,\n    concurred and cited continuing efforts to develop, in coordination with DoD\n    Component Chief Information Officers, specific criteria to enable uniform\n    assessments of Clinger-Cohen Act compliance. Recent efforts include the\n    development, during 2001, of an updated Clinger-Cohen Act certification and\n    confirmation template. Further, two web sites were developed to enhance the\n    procedures and approach used by DoD Components for determining\n    Clinger-Cohen Act compliance.\n\n    Audit Response. Although Clinger-Cohen Act compliance reporting to\n    Congress is no longer required, DoD acquisition guidance continues to require,\n    prior to project initiation or milestone approval by the Milestone Decision\n    Authority, confirmation by DoD Component CIOs that mission-critical or\n    mission-essential information systems are being developed in accordance with\n\n\n\n\n                                       14\n\x0cthe Clinger-Cohen Act. Accordingly, the development of specific criteria\nshould help to obtain more consistent and uniform assessments of Clinger-Cohen\nAct compliance.\n\n2. We recommend that the Chief, National Guard Bureau; the Chief, Army\nReserve; and the Reserve Component Automation System Management\nOfficer review the five Section 8121(b)(2) interest items for the proposed\ncapabilities of Increment 6, as appropriate, and any future increments, and\ndetermine whether the selected solution complies with the intent of the\nrequirements of the Clinger-Cohen Act.\n\nManagement Comments. The National Guard and Army Reserve both\nprovided qualified concurrences. The National Guard stated that business\nprocess reengineering and analysis of alternatives were accomplished during the\nearlier phases of RCAS development and that the reviews performed for each\nRCAS increment validate earlier milestone decisions by ensuring that\nrequirements are satisfied. The Army Reserve stated that it strives to apply the\nprinciples of the Clinger-Cohen Act and to manage its network and associated\nsystems and applications on an enterprise-wide basis. Accordingly, actions\ntaken for RCAS will also be the actions taken on behalf of all Army Reserve\nsystems.\n\nAudit Response. Management comments did not address the intent of the\nrecommendation. We recognize that business process reengineering and\nanalysis of alternative efforts were performed more than 7 years ago and prior\nto the RCAS restructure in 1995. We also recognize that information\ntechnology has changed substantially over those 7 years. For information\ntechnology systems that are incrementally developed over a period of time,\nbusiness processes or technological alternatives for implementing those\nprocesses should be periodically reexamined, as intended by the Clinger-Cohen\nAct. Accordingly, we request that the Chief, National Guard Bureau and the\nChief, Army Reserve reconsider their responses to the recommendation and\nprovide additional comments.\n\n3. We recommend that the Chief, National Guard Bureau and the Chief,\nArmy Reserve require functional proponents of the Reserve Component\nAutomation System to establish functional performance measures to better\nassess both the initial and future impact of RCAS on supported\nfunctionalities.\n\nManagement Comments. The National Guard concurred in principle. The\nNational Guard agreed on the importance of performance measures and stated\nthat functional performance measures relating to administration, interoperability,\nlogistics, and security already exist and are documented. The existing\nperformance measures quantitatively set standards for hundreds of Reserve\nComponent processes and compare attributes of the new RCAS business\nprocesses to the pre-RCAS business process.\n\nThe Army Reserve concurred with the intent of the recommendation, but stated\nthat because RCAS supported only some of the business processes within each\nof the functional areas, measurement of RCAS operations in isolation of other\n\n                                    15\n\x0csupporting systems would potentially be counterproductive or misleading.\nAlternatively, the Army Reserve is pursuing a more holistic means to catalog\nand measure supporting information systems by building an information\ntechnology portfolio, which will identify all systems and applications that\ncontribute to functional mission accomplishment. As a contributor to several\nfunctional areas, RCAS is captured in the Army Reserve\xe2\x80\x99s information\ntechnology portfolio.\n\nAudit Response. Management comments were partially responsive. Although\nthe National Guard indicated that functional performance measures had been\ndeveloped and were in place, the system of measures cited focused on enabling\neconomic analyses and operational testing, rather than on measuring and\nassessing key improvements in each of the 11 functional areas supported by\nRCAS. Some of the existing measures could be used to assess RCAS functional\nperformance and to help track improvements from future RCAS enhancements.\nHowever, it is not clear how the functional contributions provided by RCAS are\nassessed and monitored as part of the Army Reserve information technology\nportfolio. Accordingly, we revised the recommendation to clarify our intent and\nrequest that the National Guard and the Army Reserve provide additional\ncomments on the revised recommendation.\n\n4. We recommend that the Chief, National Guard Bureau and the Chief,\nArmy Reserve assess the risk of exchanging unencrypted files containing\nsensitive data between the Reserve Component Automated System for\nproposed and fielded increments and other networked systems and, if\nappropriate, implement encryption technology.\n\nManagement Comments. The National Guard and Army Reserve conditionally\nconcurred. The National Guard stated that the risks associated with exchanging\nunencrypted files had been previously assessed by the Army and was\ncategorized as low. Additionally, the Designated Approval Authority for RCAS\nwill reexamine the subject risks during the next accreditation review, which is\nscheduled for November 2002. Accordingly, the National Guard felt that the\nrecommended action by the National Guard and the Army Reserve is not\nrequired. The Army Reserve stated that RCAS interfaces with other Army\nReserve systems within a secure network boundary, which minimizes the\nsecurity risks. The Army Reserve also cited initiatives to consolidate the RCAS\ninfrastructure into consolidated data centers with tightly controlled access in and\nout of those centers.\n\nAlthough not required to respond, the Army Deputy Chief Information Officer\n(The Army Deputy CIO) concurred. Citing his responsibilities as the\nDesignated Approving Authority for RCAS, he stated that the risks related to\nthe exchange of unencrypted files will be specifically examined during the\nscheduled reaccreditation of RCAS in November 2002. Further, the Army\nDeputy CIO will specifically review and determine whether RCAS file\nexchanges should continue to be unencrypted or additional security measures are\nmerited.\n\n\n\n\n                                    16\n\x0c5. We recommend that the Reserve Component Automation System Project\nManager develop a plan, prior to the Milestone IIIe review, for the\napproval of the Chief Information Officer, Department of the Army, that\nfunds the operation and support of the Reserve Component Automation\nSystem for FYs 2002 through 2007.\n\nManagement Comments. The National Guard, responding for the RCAS\nProject Manager, conditionally concurred. The RCAS Project Manager and the\nArmy CIO worked jointly to identify sufficient funding to sustain RCAS.\nAdditionally, the Army recently directed more than $300 million to address\nRCAS life-cycle shortfalls in funding. As a result, the Army Deputy Chief of\nStaff for Program Analysis and Evaluation declared RCAS as affordable.\n\nAlthough not required to respond, the Army Deputy CIO concurred and stated\nthat sufficient funding to sustain RCAS for FYs 2002 through 2007 had been\nidentified. Accordingly, the Army CIO certified on February 25, 2002, to the\nCIO, DoD, that RCAS out-year funding issues had been resolved. Because\nRCAS funding issues were resolved, the CIO, DoD, approved Milestone IIIe\nand authorized the fielding of RCAS Increment 6 on March 25, 2002.\n\n6. We recommend that the Assistant Secretary of the Army, Acquisition,\nLogistics and Technology, expedite a report, which was due by March 1,\n2001, to the Senate and House Committees on Armed Services, that details\nsufficient programmed funds for administrative support and mobilization\ncapability for RCAS for FYs 2002 through 2007.\n\nManagement Comments Required. The Assistant Secretary did not comment\non a draft of this report. We ask that the Assistant Secretary provide comments\non the final report.\n\n\n\n\n                                   17\n\x0cAppendix A. Audit Process\n\nScope and Methodology\n    We evaluated the basis for the certification made to Congress in response to\n    Section 8121(b), and the effectiveness of oversight provided by the Overarching\n    IPT, the Acquisition Oversight IPT, and the milestone reviews. Specifically,\n    we reviewed the certification process, including the compliance report prepared\n    by the RCAS PMO, briefing charts used to brief the Deputy CIO on the RCAS\n    certification process, and the certification report submitted to Congress by the\n    CIO.\n\n    We discussed various aspects of the RCAS certification process, procedures,\n    and information provided to Congress with staffs of the Director, Army\n    National Guard; the Director, Program Analysis and Evaluation; and the CIO.\n\n    We inquired about the oversight provided by the OSD Information Technology\n    Overarching IPT. We reviewed project documents dating from July 1987\n    through July 2001. We determined whether project officials adequately\n    prepared key documentation prior to the Milestone IIIc review on December 14,\n    1999.\n\n    We reviewed the Acquisition Decision Memorandums issued for the\n    Milestone IIIa (September 1996), IIIb (January 1998), and IIIc (May 2000)\n    reviews and determined whether the exit criteria provided in the Acquisition\n    Decision Memorandums were well-defined and enforced by the Milestone\n    Decision Authority and his staff. Finally, we reviewed the actions taken in\n    response to prior audits and reviews of the RCAS project.\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in DoD. This report provides coverage of\n    the Information Management and Technology high-risk area.\n\n    Use of Computer-Processed Data. We did not use computer-processed data to\n    perform this audit.\n\n    Use of Technical Assistance. We received technical assistance from a\n    computer engineer in the Technical Assessment Division, Audit Followup and\n    Technical Support Directorate. The computer engineer reviewed RCAS\n    documentation on information security and testing. Specifically, the computer\n    engineer reviewed the system security authorization agreement, the certification\n    report, the risk assessment, the security user\xe2\x80\x99s manual, the security standing\n    operating procedures guide, and the system security architecture.\n\n    Audit Type, Dates, and Standards. We performed this audit from January\n    2001 through April 2002, in accordance with generally accepted government\n    auditing standards.\n\n\n                                       18\n\x0c    Contacts During the Audit. We visited or contacted individuals and\n    organizations within DoD. Further details are available upon request.\n\nPrior Coverage\n    Inspector General of the Department of Defense (IG DoD)\n\n    IG DoD Audit Report No. 97-019, \xe2\x80\x9cEvaluation of the Reserve Component\n    Automation System,\xe2\x80\x9d November 1, 1996\n\n    IG DoD Audit Report No. D-2000-137, \xe2\x80\x9cCertification of the Defense Civilian\n    Personnel Data System,\xe2\x80\x9d June 7, 2001\n\n\n\n\n                                      19\n\x0cAppendix B. Clinger-Cohen Act of 1996 and\n            Statutory Requirements\n   Clinger-Cohen Act of 1996. The CCA requires Federal agencies to focus on\n   the results achieved through IT investments while streamlining the IT\n   procurement process. Specifically, the CCA introduced additional precision and\n   structure into the way that agencies approach the selection, acquisition, and\n   management of IT. A primary requirement of the CCA was to establish the\n   position of the CIO for each Federal agency.\n\n   Therefore, in June 1997, the Secretary of Defense designated the ASD(C3I) as\n   the CIO for DoD and conferred the authority and responsibility for\n   implementing certain aspects of the CCA. The CIO responsibilities include:\n\n          \xe2\x80\xa2   designing and implementing a process for maximizing the value and\n              assessing and managing the risks of DoD IT acquisitions;\n\n          \xe2\x80\xa2   institutionalizing performance- and results-based IT management; and\n\n          \xe2\x80\xa2   providing advice and other assistance to the Secretary of Defense and\n              other senior DoD managers to ensure that IT acquisition and\n              information resources are managed in accordance with the policies of\n              the CCA.\n\n   The CIO is also responsible for the management and oversight of all DoD IT\n   systems. Specific responsibilities include overseeing the performance of IT\n   projects and measuring project progress through system milestone reviews.\n\n   Statutory Requirements. Congress enacted Section 8121(b) , \xe2\x80\x9cCertifications\n   as to Compliance with the Clinger-Cohen Act\xe2\x80\x9d of the DoD Appropriations Act\n   for FY 2000, which states:\n              (1) During the fiscal year 2000, a major automated information system\n              may not receive Milestone I approval, Milestone II approval, or\n              Milestone III approval within the Department of Defense until the\n              Chief Information Officer certifies, with respect to that milestone, that\n              the system is being developed in accordance with the Clinger-Cohen\n              Act of 1996 (40 U.S.C 1401 et seq.). The Chief Information Officer\n              may require additional certifications, as appropriate, with respect to\n              any such system.\n\n              (2) The Chief Information Officer shall provide the congressional\n              defense committees timely notification of certifications under\n              paragraph (1). Each such notification shall include, at a minimum, the\n              funding baseline and milestone schedule for each system covered by\n              such a certification and confirmation that the following steps have\n              been taken with respect to the system:\n\n\n\n\n                                            20\n\x0c             A)      Business process reengineering.\n\n             B)      An analysis of alternatives.\n\n             C)      An economic analysis that includes a calculation of the\n                     return on investment.\n\n             D)      Performance measures.\n\n             E)      An information assurance strategy consistent with DoD\n                     Command, Control, Communications, Computers,\n                     Intelligence, surveillance, and Reconnaissance\n                     Architecture Framework.\n\nSection 8121(b) requirements were only applicable during FY 2000. However,\nCongress extended essentially the same certification requirements through\nFY 2001 by enacting Section 8102(b), \xe2\x80\x9cCertifications as to Compliance with the\nClinger-Cohen Act,\xe2\x80\x9d of the DoD Appropriations Act for FY 2001. The DoD\nAppropriations Act for FY 2002, section 8104(b) again extended a certification\nrequirement prior to milestone approval, but limited the scope of that\nrequirement to major automated information systems for financial management\nand required that the Under Secretary of Defense (Comptroller) certify that the\nsystem is being developed in accordance with the DoD Financial Management\nModernization Plan.\n\n\n\n\n                                     21\n\x0cAppendix C. Summary of Management\n            Comments on the Finding and\n            Audit Response\n   Responding jointly for the Chief, National Guard Bureau and the RCAS PMO,\n   the National Guard Bureau Chief Information Officer and Program Executive\n   Officer for Information Systems disagreed with several topical area discussions\n   in the draft report. Management nonconcurred with our discussions of the\n   RCAS certification process, business process reengineering, analysis of\n   alternatives, economic analysis, performance measures, the integrating IPT,\n   milestone exit criteria, and the conclusion. Management also commented on\n   several inaccuracies in the draft report.\n\n   Management Comments on the RCAS Certification Process. Regarding the\n   qualifications for business process reengineering and analysis of alternatives\n   presented by the OSD review team in its briefing of the draft CIO RCAS\n   certification report, management indicated that the qualifications were not\n   merited. Management stated that the RCAS PMO provided an extensive set of\n   artifacts regarding the occurrence of and content of those activities.\n\n   Audit Response. As discussed in the report, the OSD review team did not\n   consider steps taken by the RCAS project sufficiently rigorous to meet the intent\n   of the CCA for business process reengineering or analysis of alternatives.\n\n   Management Comments on Business Process Reengineering. Management\n   stated that the CCA requires agencies to revise mission-related processes and\n   that the RCAS PMO provided a variety of documentation showing that business\n   processes were refined prior to significant RCAS investment. Additionally, the\n   CCA makes no mention of business process reengineering or specific techniques\n   to use for process revision. Citing functional process improvement that began\n   in 1989 and continued through the RCAS restructure in 1995, management cited\n   extensive study and documentation to create and refine core business processes\n   across 11 functional areas. By 1996, RCAS had completed business process\n   reengineering efforts and set requirements for all increments. Accordingly, it\n   would be unreasonable to expect the RCAS PMO or the functional users to\n   conduct further business process reengineering on any of the increments,\n   regardless of their occurring after the enactment of the CCA.\n\n   Audit Response. We agree with management on the stated requirements of the\n   CCA. However, Section 8121(b) required that the CIO, in the certification\n   report to Congress, describe steps taken in regard to business process\n   reengineering. The differences between business process reengineering and\n   business process improvements are discussed in the report. The report\n   recognized business process improvements undertaken during RCAS\n   development, but also it concluded that those efforts do not meet the higher\n   standards inherent in business process reengineering or the intent of the CCA.\n   We do not necessarily agree with management that once requirements are\n\n\n                                      22\n\x0cestablished, it is unreasonable to conduct further business process reengineering.\nSuch an approach may preclude leveraging subsequent technological or\nfunctional improvements.\n\nManagement Comments on Analysis of Alternatives. For the range of\nalternatives considered during the August 1996 analysis, management stated that\nthe analysis leading to the RCAS restructure in 1995 demonstrated that multiple\ntechnical solutions, project organizations, and day-to-day business processes\nwere evaluated before selecting the RCAS solution. Regarding the possible\noutsourcing of selected RCAS functions, management stated that, in meeting the\nFederal Activities Inventory Reform Act requirement for agencies to annually\nidentify those activities not inherently governmental, senior Army executives\nhave not identified any jobs or functions that RCAS supports. Further, the\nNational Guard outsources to the States those functions not uniquely military or\ninherently governmental.\n\nAudit Response. We acknowledge that the cited alternatives were analyzed\nprior to the RCAS restructure in 1995. However, the RCAS PMO provided no\nevidence that the analyses of alternatives, including those documented for the\nMilestone IIIa review in August 1996, considered the privatization of routine\nadministrative processes. Accordingly, we concluded that RCAS managers did\nnot meet one of the tenets of the CCA: determining whether the function could\nbe performed more effectively and at less cost by the private sector. We also\nacknowledge that the thrust of the Federal Activities Inventory Reform Act is to\nreduce the federal workforce by outsourcing those positions and activities that\nare not inherently governmental. However, that Act was not passed until\nOctober 1998, well past the period discussed. Because privatization of routine\nadministrative processes was not addressed by RCAS or functional officials in\nthe analysis of alternatives, we continue to conclude that the RCAS certification\nshould have been appropriately qualified.\n\nManagement Comments on Economic Analysis. Regarding the quantification\nand tracking of RCAS benefits, management stated that RCAS management has\nquantified the productivity improvements derived by the project by evaluating\nlabor requirements, cycle time, frequency, and output quality for RCAS\nprocesses. The RCAS PMO also performs post-implementation reviews to\nquantitatively track the actual realization of cost savings and productivity\nimprovements.\n\nAudit Response. We agree that RCAS quantitatively expressed cost and\nbenefits in the formal cost benefit analysis produced to support each increment.\nWe also agree that the productivity improvements for each increment are\nassessed and quantitatively expressed during each post-implementation review.\nHowever, that was not the intended focus of our discussion in the draft report.\nOur intent was to describe that the anticipated benefits of RCAS were primarily\nbased on productivity improvements and not on actual cost reductions or \xe2\x80\x9chard\xe2\x80\x9d\nsavings. We have amended the economic analysis discussion on page 8 of this\nfinal report to better express our intent.\n\n\n\n\n                                    23\n\x0cManagement Comments on Performance Measures. Management stated that\nkey functional requirements were established during the RCAS restructure in\n1995. Grouped into six performance measurement categories, these\nrequirements were then incorporated into the Acquisition Program Baseline.\nKey performance parameters and measures of effectiveness were then\ndesignated, including many functional performance measures such as\nmobilization order processing times and maintenance response times. To\ndetermine how well RCAS meets the key performance parameters, the Army\nTest and Evaluation Command employs both operational and mobilization\nactivities to measure functional performance. Additionally, the functional\nperformance of each RCAS increment is independently analyzed. As of March\n2002, management stated that more than 100 functional processes had been\nmeasured. This approach provides the RCAS Project Manager and the user\ncommunity with both functional and system performance measures.\nAs to the use of benchmarking, management stated that the RCAS functional\ncommunities used benchmarking during the process selection workshops\nconducted during the late 1980s. Additionally, benchmarking was used, among\nother techniques, during the RCAS restructure to derive low, medium, and\nhigh-risk alternative sustainment strategies. A \xe2\x80\x9dBenchmark Interview Guide\xe2\x80\x9d\nwas used to evaluate 4 existing Government programs and at least 15\ncommercial vendors.\n\nAudit Response. We agree that some of the measures established could be used\nas effective functional performance measures. However, the system of\nmeasures cited by management was established primarily to measure system\nperformance, to establish performance parameters for operational testing, and to\naid in determining the systems economic benefits. As expressed in the report,\nthe main purpose of functional performance measures is to enable the functional\ncommunity, or communities, to quantitatively assess the amount of functional\ngain provided from its investment in a new system. After the system is\ncompleted, ongoing measurement of functional performance should also enable\nthe functional community to continually assess whether investments in system\nmaintenance or upgrades are worthwhile from a functional perspective.\nAdditionally, continual measurement of functional performance provides a\nperformance baseline from which the functional gains attributable to future new\nsystems can be soundly determined.\n\nAs to benchmarking, management did not provide supporting documentation\nregarding the use of benchmarking in the late 1980s. Further, management\nstatements regarding the use of benchmarking to evaluate alternative sustainment\nstrategies could be misleading because they used benchmarking to select an\napproach to system maintenance, which is not relevant to functional\nperformance measures. However, because the functional communities\nsupported by RCAS did not establish a functional performance baseline prior to\nRCAS development, benchmarking could be of benefit in the establishment of\nfunctional performance measures. Benchmarks representing the functional\nperformance of leading organizations could be used as a functional performance\ngoal. A system of functional performance measures would enable RCAS users\nto measure progress toward achieving that goal.\n\n\n                                   24\n\x0cManagement Comments on Integrating Integrated Product Team. As to the\ndate of the Milestone IIIe review, management stated that the review occurred in\nOctober 2001, but that, as of January 2002, the related Acquisition Decision\nMemorandum had not been issued.\n\nAudit Response. We agree with management and have accordingly revised the\nreport.\n\nManagement Comments on Milestone Exit Criteria. In regards to the\neffectiveness of RCAS training, management stated that the exit criteria\nestablished by the DoD CIO for Milestone IIIc (Increment 3) were met. More\nimportant, management stated that substantial improvement had been made in\ntraining RCAS users since the fielding of Increment 3. Those improvements are\nillustrated in the operational testing reports of the Army Test and Evaluation\nCommand for Increments 4/5 and 6. Management stated that during the recent\nevaluation of RCAS Increment 6, the Army Test and Evaluation Command rated\ntraining as one of the project\xe2\x80\x99s areas of strength.\n\nAudit Response. As a result of management comments, we reviewed the\noperational test report for Increment 4/5. Because the operational test report\nwas not yet available, we also reviewed the Army Test and Evaluation\nCommand briefing charts for Increment 6 and discussed the adequacy of RCAS\nIncrement 6 training with Army Test and Evaluation Command personnel. As a\nresult, we agree that RCAS user training had significantly improved since\nIncrement 3 and was no longer a reportable weakness. Accordingly, we\nremoved the subject discussion and associated recommendation from this final\nreport.\n\nManagement Comments on Conclusion. Regarding the application of CCA\nprinciples to future RCAS increments that contain new functions, management\nstated that no new functions have entered the RCAS production process since\nthe project\xe2\x80\x99s Milestone III decision in 1996.\n\nAudit Response. Our intent was that RCAS managers reexamine business\nprocess reengineering and analysis of alternatives prior to initiating development\nof any future increment. Although the RCAS Milestone III was approved in\n1996, the dynamics of the IT marketplace continue to provide opportunities for\nenabling business process reengineering efforts. Accordingly, investments in\nfuture RCAS increments should be examined within the context of the\nClinger-Cohen Act. We revised the conclusion in this report to better express\nour intent.\n\nManagement Comments on Inaccuracies in the Draft Report. Management\nidentified items requiring correction, such as: RCAS is a project instead of a\nprogram; the head of the RCAS PMO is the project manager and not the project\nmanagement officer; and the Reserve Components should be referred to as the\nArmy Reserve Component.\n\nAudit Response. We made those corrections.\n\n\n\n                                    25\n\x0cAppendix D. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\n  Director, Program Analysis and Evaluation\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n  Deputy Assistant Secretary of Defense (Deputy Chief Information Officer)\n      Director, Investment and Acquisition\n\nDepartment of the Army\nAssistant Secretary of the Army (Acquisition, Logistics, and Technology)\nInspector General, Department of the Army\nAuditor General, Department of the Army\nChief Information Officer\nChief, National Guard Bureau\n   Program Executive Officer for Information Systems\n      Project Manager, Reserve Component Automation System\nChief, Army Reserve\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAuditor General, Department of the Air Force\n\nOther Defense Organizations\nDirector, Defense Contract Audit Agency\nDirector, Defense Contract Management Agency\nDirector, Defense Finance and Accounting Service\nDirector, Defense Logistics Agency\nDirector, National Security Agency\n   Inspector General, National Security Agency\nInspector General, Defense Intelligence Agency\nInspector General, Defense Threat Reduction Agency\nCommandant, Defense Systems Management College\n\n\n\n                                          26\n\x0cNon-Defense Federal Organization\nOffice of Management and Budget\n  National Security Division\n  Office of Information and Regulatory Affairs\n\nCongressional Committees and Subcommittees, Chairman and\nRanking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                                         27\n\x0c\x0cAssistant Secretary of Defense (Command,\nControl, Communications, and Intelligence)\nComments\n\n\n\n\n                      29\n\x0c30\n\x0cNational Guard Bureau Comments\n\n\n\n\n                    31\n\x0c32\n\x0c33\n\x0c34\n\x0c     Final Report\n      Reference\n\n\n\n\n     Revised\n\n\n\n\n35\n\x0cFinal Report\n Reference\n\n\n\n\nRevised\n\n\n\n\n               36\n\x0c     Final Report\n      Reference\n\n\n\n\n     Revised\n\n\n     Deleted\n\n\n\n\n37\n\x0cFinal Report\n Reference\n\n\n\n\nDeleted\n\n\nDeleted\n\n\n\n\n               38\n\x0c     Final Report\n      Reference\n\n\n\n\n     Revised\n     Page 13\n\n\n\n\n39\n\x0cFinal Report\n Reference\n\n\n\n\nRevised and\nRenumbered\nas\nRecommen-\ndation 3.\n\n\n\n\n               40\n\x0c         Final Report\n          Reference\n\n\n\n\n     Renumbered\n     as\n     Recommen-\n     dation 4.\n\n\n\n\n     Deleted\n\n\n\n\n41\n\x0cFinal Report\n Reference\n\n\n\n\nRenumbered\nas\nRecommen-\ndation 5.\n\n\n\n\nRevised\n\nRevised\n\nRevised\n\nRevised\n\nRevised\nPage 3\nDeleted\n\nRevised\nPage 18\n\n\n\n\n               42\n\x0c     Final Report\n      Reference\n\n\n\n\n     Revised\n     Page 27\n\n\n\n\n43\n\x0c44\n\x0cArmy Reserve Comments\n\n\n\n\n                   45\n\x0cFinal Report\n Reference\n\n\n\n\nRevised and\nRenumbered\nas\nRecommen-\ndation 3.\n\n\n\n\n               46\n\x0c     Final Report\n      Reference\n\n\n\n\n     Renumbered\n     as\n     Recommen-\n     dation 4.\n\n\n\n\n47\n\x0c               Army CIO Comments\nFinal Report\n Reference\n\n\n\n\nRenumbered\nas\nRecommen-\ndation 4.\n\n\n\n\nRenumbered\nas\nRecommen-\ndation 5.\n\n\n\n\n                                   48\n\x0c49\n\x0c50\n\x0c51\n\x0c52\n\x0c53\n\x0cAudit Team Members\nThe Acquisition Management Directorate, Office of the Assistant Inspector General for\nAuditing of the Department of Defense prepared this report. Personnel of the Office of\nthe Inspector General of the Department of Defense who contributed to the report are\nlisted below.\n\nMary Ugone\nWanda Scott\nJames Hutchinson\nAlvin Lowe\nJerry Hall\nChristine Winston\nJacqueline Pugh\n\x0c'